1 Introduction

In these lectures a brief introduction to quantum computing and number theory is given and
Shor's algorithm for factoring integers is described. The lectures are based on the material
from the forthcoming book [ref].

Let us discuss the problem of factoring. It is known that every integer N is uniquely
decomposable into a product of prime numbers. However, we do not know efficient (i.e.
polynomial in the number of operations) classical algorithms for factoring. Given a large
integer N, one has to find efficiently integers p and q such that N = pq, or to prove that no such
factoring exists. It is assumed that p and q are not equal to 1.

An algorithm for factoring the number N is called efficient if the number of elementary
arithmetical operations it uses for large N is bounded by a polynomial in n, where
n = log N is the number of digits in N.

The most naive factoring method would be just to divide N by each number from 1 to $\sqrt{N}$.
This requires at least $\sqrt{N}$ operations. Since $\sqrt{N} = 2^{\frac{1}{2}\log N}$ is exponential in the number of
digits $n = \log N$ in N, this method is not an efficient algorithm. There is no known efficient
classical algorithm for factoring, but a quantum polynomial algorithm does exist.

The best classical factoring algorithm which is currently known is the number field sieve
[ref]. It requires asymptotically

$\exp(c\, n^{1/3} (\log n)^{2/3})$

operations for some constant c, i.e. it is exponential in $n^{1/3}$. P. Shor [ref] has found a quantum
algorithm which takes asymptotically

$O(n^2 \log n \log\log n)$

operations, i.e. only a polynomial number of operations on a quantum computer along with a polynomial
amount of time on a classical computer.

In these lectures an exposition of Shor's quantum algorithm for factoring integers is
given together with a short introduction to quantum computing and number theory. In the
description of Shor's algorithm we essentially follow his original presentation [ref], see also [ref].

It is known that using randomization the factorization of N can be reduced to finding
the order of an arbitrary element m in the multiplicative group of residues modulo N, that
is, the least integer r such that

$m^r \equiv 1 \pmod{N}.$

The reduction will be discussed below in Sect. 9. Therefore, to factorize N it is enough to
find the order r of m.

Shor's algorithm for finding the order consists of 5 steps: 

1. Preparation of quantum state. 

2. Modular exponentiation. 

3. Quantum Fourier transform. 

4. Measurement. 

5. Computation of the order at the classical computer. 

These steps will be discussed in detail. In Sections 2 and 3 elementary notions of the
theory of algorithms and of quantum computing are discussed. In particular a general notion
of algorithm is formulated. In Sect. 4 the quantum Fourier transform is considered. In Sect. 5
some relevant results of number theory are collected. In Sect. 6 the modular exponentiation
is considered. In Sect. 7 Shor's algorithm for finding the order is exposed. In Sect. 8 the
computational complexity of Shor's algorithm is considered. Finally in Sect. 9 the reduction
of the problem of factorization to finding the order is discussed.

The main results of the quantum algorithm for finding the order are given in Theorem 7.1 
on the lower bound for the probability of measurement and in Theorem 7.2 on the derivation 
of the order. Theorem 8.1 describes the computational complexity of the algorithm. The 
main result of the quantum algorithm for factoring is presented in Theorem 9.2. 

2 Algorithms 

An algorithm is a precise formulation of how to do something. Algorithms play an important role in
mathematics and in computers. Algorithms are employed to accomplish specific tasks using
data and instructions. The notion of algorithm is an old one; there is for example the well
known Euclid's algorithm for finding the greatest common divisor of two numbers. Let us
exhibit Euclid's algorithm here.

Euclid's algorithm. Given two positive integers m and n, find their greatest common
divisor, i.e. the largest positive integer which divides both m and n. Here m and n are
interpreted as variables which can take specific values. Suppose that m is greater than n.
The algorithm consists of three steps.

Step 1. Divide m by n and let r be the remainder. 

Step 2. If r = 0, the algorithm halts; n is the answer. 

Step 3. Replace the value of variable m by the current value of variable n, also replace 
the value of variable n by the current value of variable r and go back to Step 1. 
An algorithm has an input, i.e. a quantity which is given to it initially, before the algorithm
begins. In Euclid's algorithm the input is a pair of two positive integers m and n. An
algorithm has an output, i.e. a quantity which has a specified relation to the input. In Euclid's
algorithm the output is n in Step 2, which is the greatest common divisor of the two given
integers.

Exercise. Prove that the output of Euclid's algorithm is indeed the greatest common 
divisor. 

Hint: After Step 1, we have m = kn + r, for some integer k. Euclid's algorithm is 
considered below in Sect. 3. 

There are various approaches to a precise formulation of the concept of algorithm. There
exist classical and quantum algorithms. One of the modern precise formulations of the notion of
classical algorithm can be given by using Turing machines. Another approach to algorithms
is based on the notion of circuits. Classical circuits and classical Turing machines are used as
mathematical models of a classical computer. Quantum circuits and quantum Turing machines
are mathematical models of a quantum computer. These important notions were introduced
by D. Deutsch [ref], [ref].

Turing Machine. 

The concept of the Turing machine was introduced by A.M. Turing in 1936 for the study
of the limits of human ability to solve mathematical problems in a formal way. Any reasonable
classical algorithm can be implemented on a Turing machine (this is the so-called Church
thesis).

A Turing machine has two main parts: a tape and a central unit with a head (see the
figure).

[Figure: the tape of the Turing machine and the central unit with its head.]
The tape is infinite in both directions and is divided into squares. Each square of the
tape holds exactly one of the symbols from a finite set of symbols (a finite set of symbols
is called an alphabet). The central unit with the head is in one of the states from a finite set
of states. At any moment of time the head sees one square of the tape and is able to read
the content of the square as well as to write on the square. The input is written as a string
(sequence) of symbols on the tape. The head starts in a prescribed state. In a single move,
the Turing machine can read the symbol on the one square seen by its head and, based on
that symbol and its current state, replace the symbol by a different one, change its state,
and move the head one square to the left, or one square to the right, or stay on the same
square as before.

A sequence of moves is called a computation. For some pairs of states and symbols on
the tape the machine halts. In this case the symbols remaining on the tape form the output
corresponding to the original input. A Turing machine accepts an input string if it halts
on it. The set of all accepted strings is called the language accepted by the Turing machine.
Such languages are called recursively enumerable sets.

The Turing machine is a suitable model for the computational power of a classical computer.
Its usefulness follows from Church's thesis, which may be reformulated as follows:
the computational power of the Turing machine represents a limit for any realizable classical
computer. The Turing machine is considered for example in [ref].
General Notion of Algorithm. 

Let us indicate now one method which is general enough to include classical as well as
quantum algorithms. Let us take two sets I and O. The set I will represent the input and the
set O represents the output of our computation. Suppose the sets I and O are parts of a larger
set S which will represent configurations of the computation. Let $G = \{g_1, \dots, g_r\}$ be a finite set
of functions $g_i$ from S to S. Such functions are called gates in computing and G is called the
basis of gates. They form the primitive elements from which we will design an algorithm.
For example the gates can represent the basic logical operations AND, OR and NOT. Now
let us be given a function f which maps the input set I to the output set O. Our problem is to
find a sequence of gates $A = \{g_{i_1}, g_{i_2}, \dots, g_{i_k}\}$ which computes the function f in the sense that
the function can be represented as a composition of gates, i.e. for any input $x \in I$ one has
$f(x) = g_{i_1} g_{i_2} \cdots g_{i_k}(x)$. The sequence A is called the algorithm or the program of computation.

Each input x in the set I defines a computational sequence $x_0, x_1, \dots$ as follows: $x_0 = x$,
$x_1 = g_{i_1}(x_0)$, ..., $x_m = g_{i_m}(x_{m-1})$, .... One says that the computational sequence terminates
in k steps if k is the smallest integer for which $x_k$ is in O, and in this case it produces the
output $y = x_k$ from x. One says that the algorithm computes the function $y = f(x)$.

A more general approach would be to admit that the functions $g_i$ and the function
f are not defined everywhere (such functions are called partial functions) and that not
every computational sequence terminates. Moreover one can assume that the transition
$x_m = g_{i_m}(x_{m-1})$ takes place with a certain probability (random walk) and that the output
space O is a metric space with a metric $\rho$. Then one says that the algorithm makes an
approximate computation of a function f(x) with a certain probability if one gets a bound
$\rho(f(x), x_k) < \epsilon$.

To summarize, the algorithm for the computation of the function f by using the prescribed
set of gates is given by the data $\{S, I, O, G, A, f\}$ described above.

The set S for the classical Turing machine will be the set of all configurations of the 
Turing machine and the gates gi form the transition function. For a classical circuit the 
gates might be for example basic logical operations AND, OR and NOT. For quantum 
circuit and for quantum Turing machine the set S might be the Hilbert space of quantum 
states and the gates could be some unitary matrices and projection operators. 

An important issue in computing is the computational complexity. One would like to
minimize the amount of time and memory needed to produce the output from a given input.
For input x let $t(x) = k$ be the number of steps until the computational sequence terminates.
The computational time T of the algorithm is defined by

$T(n) = \max_x \{ t(x) : |x| = n \}$

where $|x|$ is the length of the description of x. The actual length of the description depends
on the model of computation.

For input x let $s(x)$ be the number of different elements in the computational sequence
$x_0 = x, x_1, \dots$. The computational space S of the algorithm is defined by

$S(n) = \max_x \{ s(x) : |x| = n \}$

We are interested, of course, in minimizing the computational time T(n) and space S(n).
3 Quantum Circuits

Quantum Mechanics.

Quantum mechanics was created by W. Heisenberg and E. Schrödinger in 1925. Together
with relativity theory it is the most fundamental theory in physics. There are two important
points in quantum mechanics:

• Quantum mechanics is a statistical theory.

• To every quantum system a Hilbert space is assigned.

Vectors in the Hilbert space represent states of the quantum system, while self-adjoint
operators represent observables. We will need only a finite dimensional Hilbert space, which
is the n-dimensional vector space $C^n$ with the scalar product

If $\psi$ and $\phi$ are two vectors of unit length then the probability to observe the state $\psi$
given the state $\phi$ is $|(\psi, \phi)|^2$.

Boolean Functions. Quantum circuits are quantum analogues of the classical circuits
computing Boolean functions. The Boolean function $f(x_1, \dots, x_n)$ is a function of n variables
where each variable takes the values $x_i = 0, 1$ and the function also takes the values 0 and 1. If
we denote $B = \{0, 1\}$ then the function f is a map $f : B^n \to B$. One considers also more
general Boolean functions $f : B^n \to B^m$. A classical circuit can be represented as a directed
acyclic graph. Similarly a quantum circuit is a sequence of unitary matrices of the special
form associated with a (hyper)graph. We will need a special computational basis in the
vector space.

Computational basis in n-qubit space.

The two-dimensional complex space $C^2$ is called a qubit. We define in the qubit the following
computational basis

The index $x = 0, 1$ in the basis $(e_x)$ will be interpreted as a Boolean variable. We will
use also the Dirac notations

The n-tuple tensor product of qubits $C^2 \otimes C^2 \otimes \dots \otimes C^2 = C^{2^n}$ is called the n-qubit space.
It has a computational basis $\{e_{x_1} \otimes e_{x_2} \otimes \dots \otimes e_{x_n}\}$ where $x_i = 0, 1$. We will use also the
notation

If $\psi$ is a vector of unit length in $C^{2^n}$ then the probability to observe the Boolean
variables $x_1, \dots, x_n$ in the state $\psi$ is

By using the Dirac notations one can write this expression also as

$|\langle x_n, \dots, x_1 | \psi \rangle|^2.$

Definition. A quantum circuit Q is defined by the following set of data:

$Q = \{\mathcal{H}, U, G\}$

where the Hilbert space $\mathcal{H}$ is the n-qubit space $\mathcal{H} = C^{2^n}$, U is a unitary matrix in $\mathcal{H}$, and
$G = \{V_1, \dots, V_r\}$ is a finite set of unitary matrices (quantum gates). The matrix U should
admit a representation as a product of unitary matrices generated by the quantum gates
described below [ref].

The dimension of the unitary matrices $V_i$ normally is less than the dimension $2^n$ of the Hilbert
space $\mathcal{H}$, and usually one takes matrices $V_i$ which act in the 2-qubit or in the 3-qubit
spaces. We fix the computational basis $\{e_{x_1} \otimes e_{x_2} \otimes \dots \otimes e_{x_n}\}$ in $\mathcal{H}$ and define an extension
of the matrix $V_i$ to a matrix in the space $\mathcal{H}$. The extension is constructed in the following
way. If $V_i$ is an $l \times l$ matrix then we choose l vectors from the computational basis and
denote them as $\alpha = \{h_1, \dots, h_l\}$. Now let us define a unitary transformation $V_i^{(\alpha)}$ in the
Hilbert space $\mathcal{H}$ as follows. The action of $V_i^{(\alpha)}$ on the subspace of $\mathcal{H}$ spanned by the vectors
$\{h_1, \dots, h_l\}$ we set to be equal to $V_i$, and the action of $V_i^{(\alpha)}$ on the orthogonal subspace we set to be
the identity (so that $V_i^{(\alpha)}$ is indeed unitary).

The matrix U should be represented in the following product form

$U = V^{(\alpha_1)} V^{(\alpha_2)} \cdots V^{(\alpha_L)}$ (1)

where each factor $V^{(\alpha_j)}$ is the extension, described above, of one of the quantum gates $V_s$ to a matrix
in the Hilbert space $\mathcal{H}$.
Quantum Gates.

Consider the following set of unitary matrices

$G = \{V_1, V_2\}$

where $V_1$ is the $2 \times 2$ matrix of rotation by an irrational angle $\theta$ and $V_2$ is the $4 \times 4$ matrix
acting on the basis of $C^2 \otimes C^2$ as

$V_2 |x, y\rangle = |x, x + y \ (\mathrm{mod}\ 2)\rangle$

where $x, y = 0, 1$. The matrix $V_2$ is called the CNOT operation. The matrices $V_1$ and $V_2$ give
an example of universal quantum gates. By using these gates one can construct a unitary
matrix of the form (1) which is as close as we wish to any unitary matrix in $C^{2^n}$.
Exercise. Let $S_\theta = \{e^{2\pi i \theta n}\}$ be a set of points on the unit circle. Here $\theta$ is a fixed
irrational number and $n = 0, \pm 1, \pm 2, \dots$. Prove that the set $S_\theta$ is dense on the unit
circle.

Let f be a classical Boolean function $f : B^k \to B^m$. Here $B = \{0, 1\}$ and one assumes
$k < n$ and $m < n$. We say that the quantum circuit Q computes the Boolean function
$f : B^k \to B^m$ if the following bound is valid

$|\langle 0, f(x_1, \dots, x_k) | U | x_1, \dots, x_k, 0 \rangle| > 1 - \epsilon$

for all $x_1, \dots, x_k$ and some fixed $0 < \epsilon < 1/2$. Here $|x_1, \dots, x_k, 0\rangle$ is the vector of the
computational basis of the form $|x_1, \dots, x_k, 0, \dots, 0\rangle$ ($n - k$ zeros) and $\langle 0, f(x_1, \dots, x_k)|$ is
the vector of the computational basis of the form $\langle 0, \dots, 0, f(x_1, \dots, x_k)|$ ($n - m$ zeros).

If there is a quantum circuit Q with the unitary operator U represented as a product of
L unitary matrices (gates) in the form (1) then L is called the computational time of the
quantum circuit. We are mainly interested in studying the dependence of L on the
length k of the input.

There are different quantum circuits for each size of input. Hence actually we deal with families
of quantum circuits. The computational power of a family of quantum circuits should be
equivalent to that of a quantum Turing machine. This is provided by the requirement of uniformity.
A family of quantum circuits is called uniform if its design is produced by a polynomial
time classical computer and if the entries in the unitary matrices of the quantum circuits
are computable numbers.

For more details about models of quantum computation see for example [ref].

4 Quantum Fourier Transform

Consider the Hilbert space $C^2 \otimes C^2 \otimes \dots \otimes C^2 = C^{2^s}$ of dimension $q = 2^s$. The quantum Fourier
transform is the unitary transformation $F_q$ which acts on the computational basis as

$F_q |a\rangle = \frac{1}{\sqrt{q}} \sum_{b=0}^{q-1} e^{2\pi i a b / q} |b\rangle.$

Here

$|a\rangle = |a_{s-1}, \dots, a_0\rangle, \quad |b\rangle = |b_{s-1}, \dots, b_0\rangle$

where one has the binary representations

$a = a_0 + a_1 2 + \dots + a_{s-1} 2^{s-1}, \quad a_i = 0, 1,$

$b = b_0 + b_1 2 + \dots + b_{s-1} 2^{s-1}, \quad b_i = 0, 1.$
Example. Hadamard's Gate.

For $s = 1$ the quantum Fourier transform is called the Hadamard gate, $F_2 = H$. It acts
on the basis as

$H|0\rangle = \frac{1}{\sqrt{2}}(|0\rangle + |1\rangle),$

$H|1\rangle = \frac{1}{\sqrt{2}}(|0\rangle - |1\rangle).$

We extend the action of the Hadamard gate to the s-qubit space as

$H_j = I \otimes \dots \otimes H \otimes \dots \otimes I, \quad j = 1, 2, \dots, s,$

with H in the j-th factor.

The quantum Fourier transform is multiplication by a $q \times q$ unitary matrix whose $(x, y)$
matrix element is $e^{2\pi i x y / q}$. Naively, this multiplication requires $O(q^2)$ elementary operations.
However, we will show that due to special properties of the quantum Fourier transform it
can be implemented asymptotically by means of only $O((\log q)^2)$ elementary operations.

It is important to notice that the action of the quantum Fourier transform can be written
in the factorized (unentangled) form:

$F_{2^s} |a_{s-1}, \dots, a_0\rangle = \frac{1}{2^{s/2}} (|0\rangle + e^{i\varphi_a 2^{s-1}} |1\rangle) \otimes (|0\rangle + e^{i\varphi_a 2^{s-2}} |1\rangle) \otimes \dots \otimes (|0\rangle + e^{i\varphi_a} |1\rangle)$

where $\varphi_a = 2\pi a / 2^s$.

We will prove that the quantum Fourier transform can be written as a product of matrices
generated by Hadamard's gates and by the following $4 \times 4$ matrix B,

$B |a_1, a_0\rangle = e^{i\pi/2} |a_1, a_0\rangle$ if $a_1 = a_0 = 1$, and $B |a_1, a_0\rangle = |a_1, a_0\rangle$ otherwise.

We denote by $B_{j,k}$, $j < k$, the following extension of the matrix B:

$B_{j,k} |a_{s-1}, \dots, a_k, \dots, a_j, \dots, a_0\rangle = e^{i\theta} |a_{s-1}, \dots, a_k, \dots, a_j, \dots, a_0\rangle$

where

$e^{i\theta} = e^{i\pi / 2^{k-j}}$ if $a_j = a_k = 1$, and $e^{i\theta} = 1$ otherwise.

The computational complexity of the quantum Fourier transform is described by the following
theorem.

Theorem 4.1. The quantum Fourier transform in the space $C^{2^s}$ can be represented as a
product of $O(s^2)$ operators $H_j$ and $B_{j,k}$.

Therefore there is a quantum algorithm for the implementation of the quantum Fourier transform
which is polynomial as a function of the input size.

Proof. To explain the proof of the theorem we define the reversed Fourier transform

$F_q^{Rev} |a_{s-1}, \dots, a_0\rangle = \frac{1}{\sqrt{q}} \sum_{b=0}^{q-1} e^{2\pi i a b / q} |b_0, b_1, \dots, b_{s-1}\rangle$

in which the output qubits appear in the reversed order. One can prove an important formula

$F_{2^s}^{Rev} = H_0 B_{0,1} \cdots B_{0,s-1} H_1 \cdots B_{s-4,s-3} B_{s-4,s-2} B_{s-4,s-1} H_{s-3} B_{s-3,s-2} B_{s-3,s-1} H_{s-2} B_{s-2,s-1} H_{s-1}.$

In particular one has

$F_4^{Rev} = H_0 B_{0,1} H_1.$

In this formula one has s matrices $H_j$ and $s(s-1)/2$ matrices $B_{j,k}$. Now since $F_q = F_q^{Rev} T$
where T is the transposition operator (it reverses the order of the qubits), the theorem follows. □
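As an added example (not code from the lectures), the following Python simulates the quantum Fourier transform on s qubits three ways: by the defining sum, by the factorized form above, and by the gate-level product of $H_j$ and $B_{j,k}$ from the proof of Theorem 4.1 (read right to left, with the bit reversal T applied at the end). It assumes the phase of $B_{j,k}$ is $e^{i\pi/2^{k-j}}$, and it applies all $B_{m,j}$ for a given j directly after $H_j$, which is the same operator because the diagonal gates commute with each other and with Hadamards on other qubits.

```python
import cmath
import math


def qft_definition(amps):
    """F_q on an amplitude vector: (F amps)[b] = q^{-1/2} sum_a amps[a] exp(2 pi i a b / q)."""
    q = len(amps)
    return [sum(amps[a] * cmath.exp(2j * math.pi * a * b / q) for a in range(q)) / math.sqrt(q)
            for b in range(q)]


def qft_factorized(a, s):
    """F_{2^s}|a> as the unentangled product of s single-qubit factors, phi_a = 2 pi a / 2^s.
    Factor j carries exp(i phi_a 2^j); the most significant output bit (j = s-1) comes first."""
    phi = 2 * math.pi * a / 2 ** s
    amps = [1 + 0j]
    for j in range(s - 1, -1, -1):
        factor = [1, cmath.exp(1j * phi * 2 ** j)]
        amps = [x * f for x in amps for f in factor]      # tensor product, index = sum b_j 2^j
    return [x / 2 ** (s / 2) for x in amps]


def apply_hadamard(state, j):
    """H_j = I x ... x H x ... x I acting on qubit j, i.e. on bit j of the basis-state index."""
    bit, out = 1 << j, list(state)
    for x in range(len(state)):
        if not x & bit:
            y = x | bit
            out[x] = (state[x] + state[y]) / math.sqrt(2)
            out[y] = (state[x] - state[y]) / math.sqrt(2)
    return out


def apply_b(state, j, k):
    """B_{j,k} (j < k): phase exp(i pi / 2^{k-j}) when qubits j and k are both 1, identity otherwise."""
    phase, mask = cmath.exp(1j * math.pi / 2 ** (k - j)), (1 << j) | (1 << k)
    return [amp * phase if x & mask == mask else amp for x, amp in enumerate(state)]


def reverse_bits(b, s):
    """The transposition T: reverse the s-bit string of b."""
    return int(format(b, f"0{s}b")[::-1], 2)


def qft_circuit(amps):
    """Gate-level F^{Rev} (H_{s-1} first, then the B_{m,s-1}, then H_{s-2}, ...), followed by T.
    Returns the transformed amplitudes and the number of gates used, s + s(s-1)/2."""
    s = len(amps).bit_length() - 1
    if len(amps) != 1 << s:
        raise ValueError("length must be a power of two")
    state, gates = list(amps), 0
    for j in range(s - 1, -1, -1):
        state = apply_hadamard(state, j)
        gates += 1
        for m in range(j - 1, -1, -1):          # controls m < j are still untouched input bits
            state = apply_b(state, m, j)
            gates += 1
    return [state[reverse_bits(b, s)] for b in range(1 << s)], gates


def basis_state(a, s):
    amps = [0j] * (1 << s)
    amps[a] = 1 + 0j
    return amps


def max_difference(u, v):
    return max(abs(x - y) for x, y in zip(u, v))


def circuit_matches_definition(s, tol=1e-9):
    """For every basis input |a>: definition == factorized form == circuit, with s + s(s-1)/2 gates."""
    for a in range(1 << s):
        ref = qft_definition(basis_state(a, s))
        res, gates = qft_circuit(basis_state(a, s))
        if gates != s + s * (s - 1) // 2:
            return False
        if max_difference(ref, qft_factorized(a, s)) > tol or max_difference(ref, res) > tol:
            return False
    return True


if __name__ == "__main__":
    for s in range(1, 5):
        print(f"s = {s}: {1 << s}-dimensional QFT, gate circuit agrees: {circuit_matches_definition(s)}")
```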
5 Elements of Number Theory

In this section we collect some relevant material from number theory [10].

Euclid's Algorithm. Given two integers a and b, not both zero, the greatest common
divisor of a and b, denoted g.c.d.(a, b), is the biggest integer d dividing both a and b. For
example, g.c.d.(9, 12) = 3.

There is the well known Euclid's algorithm for finding the greatest common divisor. It
proceeds as follows.

Find g.c.d.(a, b) where $a > b > 0$.

1) Divide b into a and write down the quotient $q_1$ and the remainder $r_1$:

$a = q_1 b + r_1, \quad 0 \le r_1 < b,$

2) Next, perform a second division with b playing the role of a and $r_1$ playing the role of b:

$b = q_2 r_1 + r_2, \quad 0 \le r_2 < r_1,$

3) Next:

$r_1 = q_3 r_2 + r_3, \quad 0 \le r_3 < r_2.$

Continue in this way. When we finally obtain a remainder that divides the previous remainder,
we are done: that final nonzero remainder is the g.c.d. of a and b:

$r_t = q_{t+2} r_{t+1} + r_{t+2},$

$r_{t+1} = q_{t+3} r_{t+2}.$

We obtain: $r_{t+2} = d = \mathrm{g.c.d.}(a, b)$.

Example. Find g.c.d.(128, 24):

$128 = 5 \cdot 24 + 8,$

$24 = 3 \cdot 8.$

We obtain that g.c.d.(128, 24) = 8.

Let us prove that Euclid's algorithm indeed gives the greatest common divisor. Note
first that $b > r_1 > r_2 > \dots$ is a sequence of decreasing positive integers which cannot be
continued indefinitely. Consequently Euclid's algorithm must end.

Let us go up throughout Euclid's algorithm: $r_{t+2} = d$ divides $r_{t+1}, r_t, \dots, r_1, b, a$. Thus d
is a common divisor of a and b.

Now let c be any common divisor of a and b. Going downward throughout Euclid's algorithm,
c divides $r_1, r_2, \dots, r_{t+2} = d$. Thus d, being a common divisor of a and b, is divisible by any
common divisor of these numbers. Consequently d is the greatest common divisor of a and
b. □

Another (but similar) proof is based on the formula 

g.c.d.(qb + r,b) = g.c.d.(b,r). 
Corollary. Note that from Euclid's algorithm it follows (go up) that if $d = \mathrm{g.c.d.}(a, b)$ then
there are integers u and v such that

$d = ua + vb.$ (2)

In particular one has

$ua \equiv d \pmod{b}.$ (3)

One can estimate the efficiency of Euclid's algorithm. By Lamé's theorem the number of
divisions required to find the greatest common divisor of two integers is never greater than
five times the number of digits in the smaller integer.

Congruences. An integer a is congruent to b modulo m,

$a \equiv b \pmod{m},$

iff m divides $(a - b)$. In this case $a = b + km$ where $k = 0, \pm 1, \pm 2, \dots$.

Proposition. Let us be given two integers a and m. The following are equivalent:

(i) There exists u such that $au \equiv 1 \pmod{m}$.

(ii) g.c.d.(a, m) = 1.

Proof. From (i) it follows that

$au - mk = 1$

for some integer k. Therefore g.c.d.(a, m) = 1, i.e. we get (ii).

Now if (ii) is valid then one has the relation (3) for $d = 1$, $b = m$:

$au \equiv 1 \pmod{m},$

which gives (i). □

Let us solve in integers the equation

$ax \equiv c \pmod{m}.$ (4)

We suppose that g.c.d.(a, m) = 1. Then by the previous proposition there exists b such that

$ab \equiv 1 \pmod{m}.$

Multiplying Eq. (4) by b we obtain the solution

$x \equiv bc \pmod{m}$ (5)

or more explicitly

$x = bc + km, \quad k = 0, \pm 1, \pm 2, \dots$
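As an added example (not code from the lectures), here is Euclid's algorithm of Sect. 2 and Sect. 5 in Python, together with the representation (2) obtained by going back up the divisions, the inverse of the Proposition, and the solution (5) of the congruence (4); the sample values are the page's 128 and 24 plus constructed ones.

```python
def euclid_steps(a, b):
    """Run Euclid's algorithm on a > b > 0 and return the divisions as
    (dividend, divisor, quotient, remainder); the last divisor is the g.c.d."""
    steps = []
    while b != 0:
        q, r = divmod(a, b)
        steps.append((a, b, q, r))
        a, b = b, r                     # the divisor and the remainder become the new pair
    return steps


def gcd(a, b):
    """g.c.d.(a, b) read off from the last division (the final nonzero remainder)."""
    if b == 0:
        return a
    return euclid_steps(a, b)[-1][1]


def extended_gcd(a, b):
    """Go back up through Euclid's algorithm: return d, u, v with d = u*a + v*b, formula (2)."""
    if b == 0:
        return a, 1, 0
    q, r = divmod(a, b)
    d, u1, v1 = extended_gcd(b, r)      # d = u1*b + v1*r, and r = a - q*b
    return d, v1, u1 - q * v1


def modular_inverse(a, m):
    """u with a*u = 1 (mod m); exists iff g.c.d.(a, m) = 1 (the Proposition), else None."""
    d, u, _ = extended_gcd(a % m, m)
    return u % m if d == 1 else None


def solve_linear_congruence(a, c, m):
    """Solve a*x = c (mod m) for g.c.d.(a, m) = 1: x = b*c (mod m) where a*b = 1 (mod m)."""
    b = modular_inverse(a, m)
    if b is None:
        raise ValueError("g.c.d.(a, m) != 1, so a has no inverse modulo m")
    return (b * c) % m


if __name__ == "__main__":
    for dividend, divisor, q, r in euclid_steps(128, 24):
        print(f"{dividend} = {q} * {divisor} + {r}")
    d, u, v = extended_gcd(128, 24)
    print(f"g.c.d.(128, 24) = {d} = ({u}) * 128 + ({v}) * 24")
    print("7x = 3 (mod 10) has the solution x =", solve_linear_congruence(7, 3, 10))
```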
Exercise. Find all of the solutions of the congruence

$3x \equiv 4 \pmod{7}.$
Continued Fractions.

Euclid's algorithm is closely related with continued fractions. If a and b are two integers
then by using Euclid's algorithm we write

$a = q_1 b + r_1; \quad \frac{a}{b} = q_1 + \frac{1}{b / r_1},$

$b = q_2 r_1 + r_2; \quad \frac{b}{r_1} = q_2 + \frac{1}{r_1 / r_2},$

$r_1 = q_3 r_2 + r_3; \quad \frac{r_1}{r_2} = q_3 + \frac{1}{r_2 / r_3},$

$\dots$

$r_t = q_{t+2} r_{t+1} + r_{t+2}; \quad \frac{r_t}{r_{t+1}} = q_{t+2} + \frac{1}{r_{t+1} / r_{t+2}},$

$r_{t+1} = q_{t+3} r_{t+2}; \quad \frac{r_{t+1}}{r_{t+2}} = q_{t+3}.$

Therefore we obtain a representation of a/b as a continued fraction

$\frac{a}{b} = q_1 + \cfrac{1}{q_2 + \cfrac{1}{q_3 + \cfrac{1}{\ddots + \cfrac{1}{q_{t+3}}}}}$

Hence any positive rational number can be represented by a continued fraction. The fractions

$\delta_1 = q_1, \quad \delta_2 = q_1 + \frac{1}{q_2}, \quad \delta_3 = q_1 + \cfrac{1}{q_2 + \cfrac{1}{q_3}}, \quad \dots$

are called convergents. We will use the following

Theorem 5.1. If x is a rational number and a and b are positive integers satisfying

then a/b is a convergent of the continued fraction of x.

Chinese Remainder Theorem. Suppose there is a system of congruences to different
moduli:

$x \equiv a_1 \pmod{m_1},$

$x \equiv a_2 \pmod{m_2},$

$\dots$

$x \equiv a_t \pmod{m_t}.$

Suppose g.c.d.$(m_i, m_j) = 1$ for $i \ne j$. Then there exists a solution x to all of the congruences,
and any two solutions are congruent to one another modulo

$M = m_1 m_2 \cdots m_t.$

Proof. Let us denote $M_i = M / m_i$. There exist $N_i$ such that

$M_i N_i \equiv 1 \pmod{m_i}.$

Let us set

$x = \sum_i a_i M_i N_i.$

This is the solution. Indeed, since $m_1$ divides $M_i$ for every $i \ne 1$, we have

$\sum_i a_i M_i N_i \equiv a_1 M_1 N_1 \equiv a_1 \pmod{m_1}$

and similarly for the other congruences. □
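As an added example (not code from the lectures), the constructive proof above turned into Python: $x = \sum_i a_i M_i N_i$ with $M_i = M/m_i$ and $N_i$ the inverse of $M_i$ modulo $m_i$. The inverse is taken with Python's built-in pow(x, -1, m) (Python 3.8 or later); the systems solved are constructed sample inputs.

```python
from math import gcd


def chinese_remainder(residues, moduli):
    """Return the unique x in [0, M) with x = a_i (mod m_i) for all i, M = m_1 ... m_t.
    Raises ValueError when two moduli are not coprime, since then N_i need not exist."""
    for i in range(len(moduli)):
        for j in range(i + 1, len(moduli)):
            if gcd(moduli[i], moduli[j]) != 1:
                raise ValueError(f"moduli {moduli[i]} and {moduli[j]} are not coprime")
    M = 1
    for m in moduli:
        M *= m
    x = 0
    for a_i, m_i in zip(residues, moduli):
        M_i = M // m_i
        N_i = pow(M_i, -1, m_i)          # M_i N_i = 1 (mod m_i); exists because g.c.d.(M_i, m_i) = 1
        x += a_i * M_i * N_i
    return x % M                           # any two solutions are congruent modulo M


def satisfies_all(x, residues, moduli):
    """Check every congruence x = a_i (mod m_i) directly."""
    return all((x - a) % m == 0 for a, m in zip(residues, moduli))


if __name__ == "__main__":
    residues, moduli = [2, 3, 2], [3, 5, 7]       # constructed sample system
    x = chinese_remainder(residues, moduli)
    print(f"x = {x} solves x = {residues} (mod {moduli}):", satisfies_all(x, residues, moduli))
```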
We will need also 

Fermat's Little Theorem. Let p be a prime number. Any integer a satisfies

$a^p \equiv a \pmod{p}$

and any integer a not divisible by p satisfies

$a^{p-1} \equiv 1 \pmod{p}.$

Proof. Suppose a is not divisible by p. Then $\{0a, 1a, 2a, \dots, (p-1)a\}$ form a complete set
of residues modulo p, i.e. $\{a, 2a, \dots, (p-1)a\}$ are a rearrangement of $\{1, 2, \dots, p-1\}$ when
considered modulo p. Hence the product of the numbers in the first sequence is congruent
modulo p to the product of the members in the second sequence, i.e.

$a^{p-1} (p-1)! \equiv (p-1)! \pmod{p}.$

Thus p divides $(p-1)!\,(a^{p-1} - 1)$. Since $(p-1)!$ is not divisible by p, it should be that p
divides $(a^{p-1} - 1)$. □

The Euler function.

The Euler function $\varphi(n)$ is the number of nonnegative integers a less than n which are
prime to n:

$\varphi(n) = \#\{0 \le a < n : \mathrm{g.c.d.}(a, n) = 1\}.$

In particular $\varphi(1) = 1$, $\varphi(2) = 1$, $\varphi(6) = 2$, .... One has $\varphi(p) = p - 1$ for any prime p.

Exercise. Prove: $\varphi(p^n) = p^n - p^{n-1}$ for any n and prime p.

The Euler function is multiplicative, meaning that

$\varphi(mn) = \varphi(m) \varphi(n)$

whenever g.c.d.(m, n) = 1.
If

$n = p_1^{a_1} p_2^{a_2} \cdots p_k^{a_k}$

then

$\varphi(n) = n \left(1 - \frac{1}{p_1}\right) \cdots \left(1 - \frac{1}{p_k}\right).$

In particular, if n is the product of two primes, $n = pq$, then

$\varphi(n) = \varphi(p) \varphi(q) = (p-1)(q-1).$

There is the following generalization of Fermat's Little Theorem.

Euler's theorem. If g.c.d.(a, m) = 1 then

$a^{\varphi(m)} \equiv 1 \pmod{m}.$

Proof. Let $r_1, r_2, \dots, r_{\varphi(m)}$ be the classes of integers relatively prime to m. Such a system is
called a reduced system of residues mod m. Then $ar_1, ar_2, \dots, ar_{\varphi(m)}$ is another reduced
system since g.c.d.(a, m) = 1. Therefore

$ar_1 \equiv r_{\sigma(1)}, \quad ar_2 \equiv r_{\sigma(2)}, \quad \dots, \quad ar_{\varphi(m)} \equiv r_{\sigma(\varphi(m))} \pmod{m}$

for some permutation $\sigma$. On multiplying these congruences, we get

$a^{\varphi(m)} r_1 r_2 \cdots r_{\varphi(m)} \equiv r_1 r_2 \cdots r_{\varphi(m)} \pmod{m}.$

Now since $r_1 r_2 \cdots r_{\varphi(m)}$ is relatively prime to m the theorem is proved. □

We will use the following result on the asymptotic behaviour of the Euler function.

Theorem 5.2. There is a constant $C > 0$ such that for sufficiently large n one has

$\frac{\varphi(n)}{n} > \frac{C}{\log \log n}.$
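As an added example (not code from the lectures), the Euler function computed by the product formula above and cross-checked against its definition, with numerical checks of multiplicativity, of Euler's theorem and of the rearrangement step in the proof of Fermat's Little Theorem; the trial-division factorization is this example's own and is only meant for small n.

```python
from math import gcd


def prime_factors(n):
    """Distinct prime factors p_1, ..., p_k of n >= 1 by trial division (small n only)."""
    primes, p = [], 2
    while p * p <= n:
        if n % p == 0:
            primes.append(p)
            while n % p == 0:
                n //= p
        p += 1
    if n > 1:
        primes.append(n)
    return primes


def euler_phi(n):
    """phi(n) = n (1 - 1/p_1) ... (1 - 1/p_k), evaluated in integers as n / p_i * (p_i - 1)."""
    result = n
    for p in prime_factors(n):
        result = result // p * (p - 1)
    return result


def euler_phi_by_counting(n):
    """The definition phi(n) = #{0 <= a < n : g.c.d.(a, n) = 1}, for cross-checking."""
    return sum(1 for a in range(n) if gcd(a, n) == 1)


def euler_theorem_holds(m):
    """a^phi(m) = 1 (mod m) for every a with g.c.d.(a, m) = 1 (Euler's theorem)."""
    phi = euler_phi(m)
    return all(pow(a, phi, m) == 1 for a in range(1, m) if gcd(a, m) == 1)


def multiples_are_rearrangement(a, p):
    """{a, 2a, ..., (p-1)a} modulo p is a rearrangement of {1, ..., p-1} when p does not divide a."""
    return sorted(k * a % p for k in range(1, p)) == list(range(1, p))


if __name__ == "__main__":
    for n in (1, 2, 6, 7, 8, 15, 21):
        print(f"phi({n}) = {euler_phi(n)}  (by counting: {euler_phi_by_counting(n)})")
    print("Euler's theorem for m = 15:", euler_theorem_holds(15))
    print("{3, 6, ..., 18} mod 7 is a rearrangement of {1, ..., 6}:", multiples_are_rearrangement(3, 7))
```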

6 Modular Exponentiation 

Sometimes it is necessary to do classical computations on a quantum computer. Since quantum
computation is reversible, a deterministic classical computation is performable on a quantum
computer only if it is reversible. It was shown that any deterministic computation can be
made reversible for only a constant factor cost in time and by using as much space as time.

In this section we discuss the modular exponentiation problem. The problem is, given N, a
and m, with $m < N$, $a < N$, find $m^a \pmod{N}$.

Theorem 6.1. There exists a classical algorithm for the computation of $m^a \pmod{N}$ which
requires asymptotically $O(n^2 \log n \log \log n)$ arithmetical operations with bits in the binary
representation of the numbers, where $n = \log N$.

Proof. The algorithm proceeds as follows.

1. Write the binary representation

$a = a_0 + 2 a_1 + 2^2 a_2 + \dots + 2^s a_s$

where $a_i = 0, 1$ and $a_s = 1$.

2. Set $m_0 = m$ and then for $i = 1, \dots, s$ compute

$m_i = m_{i-1}^2 \, m^{a_{s-i}} \pmod{N}.$

3. The final result is $m_s$,

$m_s = m^a \pmod{N}.$

The validity of the algorithm follows from the relation

$m_i = m^{a_{s-i} + 2 a_{s-i+1} + \dots + 2^i a_s} \pmod{N}.$

Each computation of $m_i$ requires no more than three multiplications and it is
repeated no more than $s \le n = \log N$ times. There is the Schönhage-Strassen algorithm [ref]
for integer multiplication that uses asymptotically $O(n \log n \log \log n)$ operations on bits.
This proves the theorem. □

Note that the Schönhage-Strassen algorithm is the best known algorithm for multiplication
of very large numbers, but for numbers of intermediate length (several thousand digits)
it might be better to use the original Karatsuba algorithm [ref], which requires $O(n^{\log_2 3})$
operations, $n = \log N$.
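As an added example (not code from the lectures), the three steps of the proof of Theorem 6.1 in Python, with a check of the relation for the intermediate values $m_i$; Python's built-in pow is used only to cross-check the result.

```python
def binary_digits(a):
    """Step 1: a = a_0 + 2 a_1 + ... + 2^s a_s with a_s = 1, returned as [a_0, ..., a_s]."""
    if a <= 0:
        raise ValueError("a must be positive")
    digits = []
    while a:
        digits.append(a & 1)
        a >>= 1
    return digits


def modexp(m, a, N, trace=None):
    """Steps 2 and 3: m_0 = m, m_i = m_{i-1}^2 * m^{a_{s-i}} (mod N) for i = 1, ..., s; return m_s.
    Each iteration is at most a squaring and one multiplication modulo N, and there are s iterations.
    If a list is passed as `trace`, the intermediate m_1, ..., m_s are appended to it."""
    digits = binary_digits(a)
    s = len(digits) - 1
    m_i = m % N                               # m_0 = m = m^{a_s}, since a_s = 1
    for i in range(1, s + 1):
        m_i = (m_i * m_i) % N                 # squaring doubles the exponent accumulated so far
        if digits[s - i]:                     # multiply by m^{a_{s-i}}, which is m when a_{s-i} = 1
            m_i = (m_i * m) % N
        if trace is not None:
            trace.append(m_i)
    return m_i


def check_intermediate_relation(m, a, N):
    """Verify m_i = m^{a_{s-i} + 2 a_{s-i+1} + ... + 2^i a_s} (mod N) for every i = 1, ..., s."""
    digits = binary_digits(a)
    s = len(digits) - 1
    trace = []
    modexp(m, a, N, trace)
    for i, m_i in enumerate(trace, start=1):
        exponent = sum(digits[j] << (j - (s - i)) for j in range(s - i, s + 1))
        if m_i != pow(m, exponent, N):
            return False
    return True


if __name__ == "__main__":
    trace = []
    print("7^13 mod 15 =", modexp(7, 13, 15, trace), "via m_1..m_s =", trace)
    print("intermediate relation holds:", check_intermediate_relation(7, 13, 15))
```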



7 Shor's Algorithm for Finding the Order 

Given N, choose a random (with the uniform distribution) m, $1 < m < N$. We assume
gcd(m, N) = 1, otherwise we would already know a divisor of N. We want to find the order
of m, i.e. the least integer r such that

$m^r \equiv 1 \pmod{N}.$

Fix some q of the form $q = 2^s$ with $N^2 < q < 2N^2$. The algorithm will use the Hilbert space

$\mathcal{H} = C^q \otimes C^{N_1} \otimes C^k$

where $C^q$ and $C^{N_1}$ are two quantum registers which hold integers represented in binary. Here
$N_1$ is an integer of the form $N_1 = 2^l$ for some l such that $N < N_1$. There is also the work
space $C^k$ for the arithmetical operations. We will not indicate it explicitly. If

$a = a_0 + 2 a_1 + 2^2 a_2 + \dots + 2^s a_s$

is the binary representation ($a_i = 0, 1$) of an integer a then we write

$|a\rangle = |a_0\rangle \otimes \dots \otimes |a_s\rangle$

where

$|0\rangle = \begin{pmatrix} 1 \\ 0 \end{pmatrix}, \quad |1\rangle = \begin{pmatrix} 0 \\ 1 \end{pmatrix}$

is the basis in the two-dimensional complex space $C^2$.
We have the data (N, m, q). The algorithm for finding the order r of m consists of 5
steps:

1. Preparation of quantum state.

2. Modular exponentiation.

3. Quantum Fourier transform.

4. Measurement.

5. Computation of the order at the classical computer.

Description of the algorithm.

1. Preparation of quantum state. Put the first register in the uniform superposition
of states representing numbers a (mod q). The quantum computer will be in the state

$|\psi_1\rangle = \frac{1}{\sqrt{q}} \sum_{a=0}^{q-1} |a\rangle \otimes |0\rangle.$

2. Modular exponentiation. Compute $m^a \pmod{N}$ in the second register. This
leaves the quantum computer in the state

$|\psi_2\rangle = \frac{1}{\sqrt{q}} \sum_{a=0}^{q-1} |a\rangle \otimes |m^a \pmod{N}\rangle.$

3. Quantum Fourier transform. Perform the quantum Fourier transform on the first
register, mapping $|a\rangle$ to

$\frac{1}{\sqrt{q}} \sum_{c=0}^{q-1} e^{2\pi i a c / q} |c\rangle.$

The quantum computer will be in the state

$|\psi_3\rangle = \frac{1}{q} \sum_{a=0}^{q-1} \sum_{c=0}^{q-1} e^{2\pi i a c / q} |c\rangle \otimes |m^a \pmod{N}\rangle.$

4. Measurement. Make the measurement on both registers $|c\rangle$ and $|m^a \pmod{N}\rangle$.

To find the period r we will need only the value of $|c\rangle$ in the first register, but for
clarity of the computations we make the measurement on both registers. The probability
$P(c, m^k \pmod{N})$ that the quantum computer ends in a particular state

$|c; m^k \pmod{N}\rangle = |c\rangle \otimes |m^k \pmod{N}\rangle$

is

$P(c, m^k \pmod{N}) = |\langle m^k \pmod{N}; c | \psi_3 \rangle|^2$ (6)

where we can assume $0 \le k < r$.

We will use the following theorem, which shows that the probability $P(c, m^k \pmod{N})$
is large if the residue of $rc \pmod{q}$ is small. Here r is the order of m in the group $(\mathbb{Z}/N\mathbb{Z})^*$
of residues modulo N.
Theorem 7.1. If there is an integer d such that

$-\frac{r}{2} \le rc - dq \le \frac{r}{2}$ (7)

and N is sufficiently large then

$P(c, m^k \pmod{N}) > \frac{1}{3 r^2}.$ (8)

The theorem is proved below.

5. Computation of the order at the classical computer. We know N, c and q and
we want to find the order r. Because $q > N^2$, there is at most one fraction d/r with $r < N$
that satisfies the inequality (7). We can obtain the fraction d/r in lowest terms by rounding
c/q to the nearest fraction having a denominator smaller than N. To this end we can use
the continued fraction expansion of c/q and Theorem 5.1.
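As an added example (not code from the lectures), the continued fraction and convergents of Sect. 5 applied to step 5: the measured c/q is rounded to the convergent with denominator below N and r is read off its denominator. It assumes the usual form of Theorem 5.1, $|x - a/b| < 1/(2b^2)$, which is what (7) and $q > N^2$ give for $x = c/q$, $a/b = d/r$; the measurement values used are constructed for N = 15, m = 7 (order 4) and N = 21, m = 2 (order 6).

```python
from fractions import Fraction


def continued_fraction(a, b):
    """Partial quotients [q_1, q_2, ...] of a/b, read off the divisions of Euclid's algorithm."""
    quotients = []
    while b:
        q, r = divmod(a, b)
        quotients.append(q)
        a, b = b, r
    return quotients


def convergents(quotients):
    """Convergents delta_1 = q_1, delta_2 = q_1 + 1/q_2, ... as exact Fractions h_n/k_n,
    built with the recurrence h_n = q_n h_{n-1} + h_{n-2}, k_n = q_n k_{n-1} + k_{n-2}."""
    h_prev, h = 0, 1          # h_{-2}, h_{-1}
    k_prev, k = 1, 0          # k_{-2}, k_{-1}
    result = []
    for q in quotients:
        h_prev, h = h, q * h + h_prev
        k_prev, k = k, q * k + k_prev
        result.append(Fraction(h, k))
    return result


def nearest_fraction_below(c, q, N):
    """Step 5: the convergent of c/q with the largest denominator smaller than N."""
    best = Fraction(0, 1)
    for frac in convergents(continued_fraction(c, q)):
        if frac.denominator >= N:
            break
        best = frac
    return best


def order_from_measurement(c, q, N, m):
    """The candidate order r from one measured c, or None when the denominator is not the
    order; this happens e.g. when d and r are not coprime, so d/r cancels to a divisor of r."""
    r = nearest_fraction_below(c, q, N).denominator
    return r if pow(m, r, N) == 1 else None


if __name__ == "__main__":
    print("128/24 =", continued_fraction(128, 24), "convergents", convergents([5, 3]))
    for c, q, N, m in [(85, 512, 21, 2), (192, 256, 15, 7), (128, 256, 15, 7)]:
        print(f"c/q = {c}/{q}, N = {N}: d/r ~ {nearest_fraction_below(c, q, N)},"
              f" r = {order_from_measurement(c, q, N, m)}")
```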

We will prove the following theorem, which summarizes the main results of the quantum
algorithm for finding the order.

Theorem 7.2. If the integer N is sufficiently large then by repeating the first four steps
of the algorithm for finding the order $O(\log \log N)$ times one can obtain the value of the
order r with probability $\gamma > 0$, where the constant $\gamma$ does not depend on N.

Now let us prove these results. 

Proof of Theorem 7.1. First let us notice the relation

$\langle m^k \pmod{N} | m^a \pmod{N} \rangle = 1$ if $a \equiv k \pmod{r}$, and $= 0$ otherwise.

Hence the amplitude is

$\langle m^k \pmod{N}; c | \psi_3 \rangle = \frac{1}{q} \sum_a e^{2\pi i a c / q}$

where the summation over a runs over the subset $a \equiv k \pmod{r}$ of the set $\{0, 1, \dots, q-1\}$. One
sets

$a = br + k$

to get

$\sum_a e^{2\pi i a c / q} = \sum_{b=0}^{f} e^{2\pi i c (br + k) / q} = e^{2\pi i c k / q} \, \frac{1 - e^{2\pi i c r (f+1) / q}}{1 - e^{2\pi i c r / q}}$

where f is the integer part

$f = \left[ \frac{q - 1 - k}{r} \right].$

Therefore the probability is

$P(c, m^k \pmod{N}) = \frac{1}{q^2} \left| \frac{1 - e^{2\pi i c r (f+1) / q}}{1 - e^{2\pi i c r / q}} \right|^2,$

which is equal to

$P(c, m^k \pmod{N}) = \frac{1}{q^2} \, \frac{\sin^2 \left( \frac{\pi c r (f+1)}{q} \right)}{\sin^2 \left( \frac{\pi c r}{q} \right)}.$

Now to prove the theorem we use the condition (7) and the relation

$\sin x \ge \frac{2}{\pi} x, \quad 0 \le x \le \frac{\pi}{2}. \quad □$

Proof of Theorem 7.2. If we know the fraction $d/r$ in lowest terms and $d$ is relatively 
prime to $r$, then its denominator is $r$ itself, so we can read off $r$. There are $r\varphi(r)$ states 
$|c; m^k \ (\mathrm{mod}\ N)\rangle$ which enable us to compute $r$, because there are $\varphi(r)$ values of $d$ 
relatively prime to $r$ and there are $r$ possible values of $m^k \ (\mathrm{mod}\ N)$. By Theorem 7.1 each of 
these states occurs with probability at least $1/3r^2$. Therefore we get $r$ with probability at least 
$\varphi(r)/3r$. Now the theorem follows from Theorem 5.2. $\square$
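The following classical simulation is an added example, not part of the original lecture notes. For a constructed toy instance ($N = 21$, $m = 2$, $q = 512$, so that $N^2 \le q < 2N^2$) it evaluates the exact distribution $P(c, m^k \ (\mathrm{mod}\ N))$ from the closed form obtained in the proof of Theorem 7.1, checks the bound (8) on every $c$ satisfying condition (7), recovers $r$ from $c/q$ by the continued-fraction rounding of step 5, and checks the success probability against the $\varphi(r)/3r$ of the proof of Theorem 7.2. The order itself is computed by brute force in place of the quantum steps 1 to 4; all function names are this example's own.

```python
# Added example (not part of the original lecture notes): exact measurement
# statistics of the order-finding algorithm for a tiny N, and the step-5
# post-processing.  N, m, q below are constructed toy values.
from fractions import Fraction
from math import gcd, pi, sin


def order(m, N):
    """Order of m in (Z/NZ)* by brute force: classical stand-in for the quantum part."""
    if gcd(m, N) != 1:
        raise ValueError("m must be a unit modulo N")
    r, x = 1, m % N
    while x != 1:
        x = x * m % N
        r += 1
    return r


def prob(c, k, q, r):
    """P(c, m^k mod N) = (1/q^2) sin^2(pi c r (f+1)/q) / sin^2(pi c r/q), f = floor((q-1-k)/r)."""
    f = (q - 1 - k) // r
    if c * r % q == 0:                      # ratio of the geometric sum is 1: f+1 equal terms
        return ((f + 1) / q) ** 2
    return (sin(pi * c * r * (f + 1) / q) / sin(pi * c * r / q)) ** 2 / q ** 2


def satisfies_7(c, q, r):
    """Condition (7): some integer d has -r/2 <= rc - dq <= r/2."""
    d = round(r * c / q)                    # only the nearest d can work
    return 2 * abs(r * c - d * q) <= r


def convergents(num, den):
    """Convergents h/k of num/den from its continued fraction expansion (Theorem 5.1)."""
    h_prev, h, k_prev, k = 0, 1, 1, 0
    out = []
    while den:
        a, rem = divmod(num, den)
        h_prev, h = h, a * h + h_prev
        k_prev, k = k, a * k + k_prev
        out.append((h, k))
        num, den = den, rem
    return out


def recover_order(c, q, N):
    """Step 5: round c/q to the nearest fraction d/s with s < N; return s or None.

    s equals the order r exactly when gcd(d, r) = 1 (proof of Theorem 7.2);
    the caller must still verify m^s = 1 (mod N).
    """
    best = None
    for d, s in convergents(c, q):
        if s >= N:
            break
        best = (d, s)
    if best is None:
        return None
    d, s = best
    # |c/q - d/s| <= 1/(2q) is condition (7) rewritten for the candidate denominator s
    if 2 * q * abs(Fraction(c, q) - Fraction(d, s)) <= 1:
        return s
    return None


def simulate(m, N, q):
    """Exact first-register statistics and the step-5 post-processing.

    Returns (r, total probability, c values satisfying (7), whether bound (8)
    holds on all of them, the c values from which r is actually recovered).
    """
    r = order(m, N)
    total = sum(prob(c, k, q, r) for c in range(q) for k in range(r))
    good = [c for c in range(q) if satisfies_7(c, q, r)]
    bound_ok = all(prob(c, k, q, r) > 1 / (3 * r * r) for c in good for k in range(r))
    successes = []
    for c in good:
        s = recover_order(c, q, N)
        if s is not None and pow(m, s, N) == 1:
            successes.append(c)
    return r, total, good, bound_ok, successes


def success_probability(m, N, q):
    """Probability of measuring a c from which r is recovered; Theorem 7.2 gives >= phi(r)/(3r)."""
    r, _, _, _, successes = simulate(m, N, q)
    return sum(prob(c, k, q, r) for c in successes for k in range(r))


if __name__ == "__main__":
    N, m, q = 21, 2, 512               # constructed toy instance: N = 3 * 7, r = 6, N^2 <= q < 2 N^2
    print(simulate(m, N, q))
    print(success_probability(m, N, q))
```

On this instance the six values of $c$ satisfying (7) are $0, 85, 171, 256, 341, 427$ (one for each $d = 0, \ldots, r-1$); only $c = 85$ and $c = 427$, i.e. $d = 1$ and $d = 5$ with $\gcd(d, 6) = 1$, yield $r = 6$, the other four give a proper divisor of $r$ that fails the check $m^s \equiv 1$, exactly as the count $\varphi(r)$ in the proof of Theorem 7.2 predicts.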



8 Computational Complexity of Shor's Algorithm 

Let us estimate the number of operations (or gates) needed to implement the first three steps 
of Shor's algorithm for finding the order.

Theorem 8.1. Shor's algorithm for finding the order of an element in the group of 
residues modulo $N$ requires
$$
O\big((\log N)^2 (\log\log N)(\log\log\log N)\big) \qquad (9)
$$
operations (gates) on a quantum computer.

Proof. Let us estimate the number of operations (gates) needed to implement the first 
three steps of the algorithm on a quantum computer.

To prepare the state $|\psi_1\rangle$ one needs
$$
s = \log q = O(\log N)
$$
Hadamard gates.

Then let us consider the modular exponentiation. It is the most time consuming part of 
the algorithm. As discussed in Sect. 6, asymptotically, modular exponentiation requires
$$
O(n^2 \log n \log\log n) \qquad (10)
$$
operations, $n = O(\log N)$. The computation can be made reversible for only a constant 
factor cost in time and the same amount in space.

Finally, it is shown in Sect. 4 that the third step of the algorithm, the quantum 
Fourier transform, takes
$$
O\big((\log N)^2\big) \qquad (11)
$$
quantum gates. This is actually the key ingredient of the factoring algorithm: it is precisely 
the polynomial bound (11) that gives the polynomial efficiency of the factoring algorithm. 
The theorem now follows from the count of Hadamard gates and the estimates (10) and (11). $\square$
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9 Factoring Integers 



In this section the factoring algorithm will be described. The factoring algorithm solves the 
following problem. Given an integer $N$, one has to find integers $p$ and $q$ such that $N = pq$, 
or to prove that such a factoring does not exist. It is assumed that $p$ and $q$ are not equal to 
1. We shall use the algorithm for finding the order described in Sect. 7.

Factoring Algorithm.

1. Choose a random $m$, $1 < m < N$ (with uniform distribution). If $\mathrm{g.c.d.}(m, N) > 1$ it is 
already a factor of $N$; otherwise find the order $r$ of $m$ by using the algorithm for finding the 
order from Sect. 7.

2. If $r$ is even, compute
$$
\mathrm{g.c.d.}(m^{r/2} - 1, N)
$$
by using Euclid's algorithm.

3. If $\mathrm{g.c.d.}(m^{r/2} - 1, N) > 1$ then it gives a factor of $N$. If $\mathrm{g.c.d.}(m^{r/2} - 1, N) = 1$ 
or the order $r$ of $m$ is odd, one has to repeat steps 1 and 2 for another integer $m$.

Let us explain why the algorithm works. Consider the equation
$$
y^2 \equiv 1 \ (\mathrm{mod}\ N).
$$
There are the trivial solutions
$$
y \equiv \pm 1 \ (\mathrm{mod}\ N).
$$
Suppose there is also a nontrivial solution $y = b$,
$$
b^2 \equiv 1 \ (\mathrm{mod}\ N), \qquad b \not\equiv \pm 1 \ (\mathrm{mod}\ N).
$$
Then
$$
(b + 1)(b - 1) \equiv 0 \ (\mathrm{mod}\ N),
$$
i.e.
$$
(b + 1)(b - 1) = kN
$$
and neither of the factors $b + 1$ and $b - 1$ is $0 \ (\mathrm{mod}\ N)$. Thus $b + 1$ must contain one 
factor of $N$ and $b - 1$ another, so $\mathrm{g.c.d.}(b - 1, N)$ is a proper divisor of $N$.

Now, if $r$ is the order of $m \ (\mathrm{mod}\ N)$ and $r$ is even, then $b = m^{r/2}$ is a solution of the 
equation $b^2 \equiv 1 \ (\mathrm{mod}\ N)$. If $m^{r/2} \not\equiv \pm 1 \ (\mathrm{mod}\ N)$ then $\mathrm{g.c.d.}(m^{r/2} - 1, N) > 1$. We have 
proved the following

Lemma. If the order $r$ of $m \ (\mathrm{mod}\ N)$ is even and
$$
m^{r/2} \not\equiv \pm 1 \ (\mathrm{mod}\ N)
$$
then
$$
\mathrm{g.c.d.}(m^{r/2} - 1, N) > 1 .
$$

The above process may fail if $r$ is odd or if $r$ is even but $m^{r/2}$ is a trivial solution. However, 
due to the following theorem, these situations can arise only with small probability.
Theorem 9.1. Let $N$ be an odd natural number with prime factorization
$$
N = p_1^{\alpha_1} p_2^{\alpha_2} \cdots p_k^{\alpha_k} .
$$
Suppose $m$ is chosen at random, $1 < m < N$ (with uniform distribution), satisfying 
$\mathrm{g.c.d.}(m, N) = 1$. Let $r$ be the order of $m \ (\mathrm{mod}\ N)$. Then
$$
\mathrm{Prob}\,\{ r : r \text{ is even and } m^{r/2} \not\equiv \pm 1 \ (\mathrm{mod}\ N) \} \ge 1 - \frac{1}{2^{k-1}} . \qquad (12)
$$
The probability is positive if $k \ge 2$.

Proof. Since $r$ is the order of $m$, we never have $m^{r/2} \equiv 1 \ (\mathrm{mod}\ N)$, so only the trivial 
root $-1$ has to be excluded. One can prove that
$$
\mathrm{Prob}\,\{ r : r \text{ is odd or } m^{r/2} \equiv -1 \ (\mathrm{mod}\ N) \} \le \frac{1}{2^{k-1}}
$$
by using the Chinese remainder theorem. $\square$

Theorem 9.2. If an odd integer $N$ is sufficiently large and has at least two distinct prime 
factors, then the factoring algorithm finds a factor with probability greater 
than $\gamma/2$, where $\gamma$ is the constant defined in Theorem 7.2. One needs asymptotically
$$
O\big((\log N)^2 (\log\log N)(\log\log\log N)\big)
$$
quantum gates to implement the quantum circuit for the factoring algorithm.

Proof. The conclusion of the theorem follows from the description of the factoring 
algorithm and from Theorems 7.2 and 9.1. $\square$
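The classical part of the factoring algorithm of this section, as an added example that is not part of the original lecture notes: the quantum order-finding subroutine is replaced by brute force so that it runs on tiny constructed moduli, steps 1 to 3 and the Lemma are carried out by `factor_from_order` and `factor`, and `theorem_9_1_holds` checks the bound (12) exhaustively over all units $m$. The function names and the small test moduli are this example's own.

```python
# Added example (not part of the original lecture notes): classical steps of
# the factoring algorithm on toy moduli, plus an exhaustive check of (12).
from fractions import Fraction
from math import gcd


def order(m, N):
    """Order of m in (Z/NZ)* by brute force (the step the quantum computer performs)."""
    r, x = 1, m % N
    while x != 1:
        x = x * m % N
        r += 1
    return r


def factor_from_order(m, N, r):
    """Steps 2-3: a nontrivial factor of N from the order r of m, or None if this m fails."""
    if r % 2:                        # odd order: m^{r/2} is not defined
        return None
    b = pow(m, r // 2, N)            # b^2 = 1 (mod N); b = 1 is impossible since r is the order
    if b == N - 1:                   # trivial root -1: gcd(b - 1, N) = gcd(-2, N) = 1 for odd N
        return None
    g = gcd(b - 1, N)                # Lemma: b != +-1 (mod N) gives 1 < g < N
    return g if 1 < g < N else None


def factor(N):
    """The factoring algorithm with m tried in order 2, 3, ... instead of at random.

    Returns (m, r, p) for the first m that works; if the unit check of step 1
    already yields a factor, r is reported as None.
    """
    for m in range(2, N):
        g = gcd(m, N)
        if g > 1:
            return m, None, g
        r = order(m, N)
        p = factor_from_order(m, N, r)
        if p is not None:
            return m, r, p
    return None


def distinct_prime_count(N):
    """k in Theorem 9.1: the number of distinct primes dividing N (trial division)."""
    k, p = 0, 2
    while p * p <= N:
        if N % p == 0:
            k += 1
            while N % p == 0:
                N //= p
        p += 1
    return k + (1 if N > 1 else 0)


def good_m_fraction(N):
    """Fraction of units m, 1 < m < N, with r even and m^{r/2} != -1 (mod N)."""
    units = [m for m in range(2, N) if gcd(m, N) == 1]
    good = sum(1 for m in units if factor_from_order(m, N, order(m, N)) is not None)
    return Fraction(good, len(units))


def theorem_9_1_holds(N):
    """Check Prob >= 1 - 1/2^(k-1), i.e. (12), exhaustively for an odd N."""
    k = distinct_prime_count(N)
    return good_m_fraction(N) >= 1 - Fraction(1, 2 ** (k - 1))


if __name__ == "__main__":
    for N in (9, 15, 21, 33, 35, 45, 105):   # constructed toy moduli
        print(N, factor(N), good_m_fraction(N), theorem_9_1_holds(N))
```

For $N = 21$ the first unit tried, $m = 2$, has order $6$ and $2^3 = 8 \not\equiv \pm 1$, so $\mathrm{g.c.d.}(7, 21) = 7$ is returned; exhaustively, $6$ of the $11$ units $m > 1$ succeed, above the bound $1/2$ for $k = 2$. For the prime power $N = 9$ ($k = 1$) no unit succeeds at all, which is why the theorem only promises a positive probability for $k \ge 2$.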



10 Conclusions 



Factoring integers plays an important role in modern cryptography, see [?]. This explains 
the significance of Shor's quantum factoring algorithm.

There are important problems, such as the traveling salesman problem, the integer 
programming problem and the satisfiability problem, that have been studied for decades and for 
which all known algorithms have a running time that is exponential in the length of the 
input. These problems and many others belong to the set of $NP$-complete problems. 
It is unknown whether the factoring problem is $NP$-complete. Probably it is only 
subexponential in running time.

An approach to the solution of $NP$-complete problems by using a new paradigm of 
computation which goes beyond the quantum Turing machine is suggested in [?]. It is 
based on a combination of a quantum computer with a chaotic dynamics amplifier and on an 
application of nonlinear Hartree-Fock dynamics in an atomic quantum computer [15].
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